Report calls on federal agencies to update medical device cybersecurity agreement

Many medical devices like heart monitors or insulin pumps rely on connected networks.

They allow doctors, nurses, and other caretakers to track a patient’s status in real time, and that data can be put into an electronic health records system.

But those network connections can also put the devices at risk of cyber-attacks.

A watchdog report from the U.S. Government Accountability Office (GAO) reveals that the federal agencies in charge of making sure these devices are protected need to update their cybersecurity agreement.

The report warns that although a cyber-attack against a medical device is not common, an attack has the potential for serious consequences.

“Cyber incidents that impact medical devices could delay critical patient care, reveal sensitive data, shut down health care provider operations, and necessitate costly recovery efforts,” the report said.

We spoke with GAO about the potential dangers.

“Say there was a physician operating on a patient in an operating room and some attack happened. That patient would be losing minutes upon minutes of getting that provided service that they need,” said Jennifer Franks, Director of GAO’s Center for Enhanced Cybersecurity.

According to the report, 53 percent of connected medical devices and connected devices in hospitals had known critical vulnerabilities as of January 2022.

The findings say the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) developed an agreement on practices to protect the cybersecurity of medical devices, but that agreement hasn’t been updated in five years.

“Yes, you’re highlighting that you have defined shared goals. You have addressed bridging organizational gaps. You’ve even defined some of the leaders that should be responsible in our organization but things that you have not done are ensuring accountability or identifying the relevant participants that are highlighted in those agreements,” said Franks about the need for updates. “What this could really help the agencies to do is to just better monitor and assess and even communicate progress short or long term so if a vulnerability did take place, where are you going to get your information and who is going to be leading said information.”

In response, the federal agencies agreed with the recommendations and said they are working on making the updates.
